Issue 17425: Update OpenSSL versions in Windows builds (original) (raw)

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/61627

classification

process

Created on 2013-03-14 22:10 by pitrou, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (13)
msg184199 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2013-03-14 22:10
OpenSSL recently issued a security advisory (*). Our bundled OpenSSL versions seem to be vulnerable. They should be updated to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y depending on the version. (*) http://www.openssl.org/news/secadv_20130205.txt Apologies if this has already been handled and I've misunderstood Tools/buildbot/external-common.bat.
msg184204 - (view)	Author: Martin v. Löwis (loewis) *	Date: 2013-03-14 22:43
No, it hasn't been handled. I'll look into it next week.
msg184920 - (view)	Author: Benjamin Peterson (benjamin.peterson) *	Date: 2013-03-21 22:59
Martin, is something that needs to be worked on before the rc this weekend?
msg184966 - (view)	Author: Martin v. Löwis (loewis) *	Date: 2013-03-22 14:08
Indeed. I hope to get to it later this evening.
msg185006 - (view)	Author: Roundup Robot (python-dev)	Date: 2013-03-22 21:02
New changeset 3d76dbbbb0cc by Martin v. Loewis in branch '2.7': Issue #17425: Build against openssl 0.9.8y on Windows. http://hg.python.org/cpython/rev/3d76dbbbb0cc
msg185008 - (view)	Author: Martin v. Löwis (loewis) *	Date: 2013-03-22 21:09
0.9.8y seems to work fine on 2.7; I'll do the other ones later.
msg185009 - (view)	Author: Benjamin Peterson (benjamin.peterson) *	Date: 2013-03-22 21:10
Thank you!
msg185159 - (view)	Author: Roundup Robot (python-dev)	Date: 2013-03-24 21:12
New changeset 0fb7db2f9b5e by Martin v. Loewis in branch '3.2': Issue #17425: Build with openssl 1.0.0k on Windows. http://hg.python.org/cpython/rev/0fb7db2f9b5e New changeset 8051e6ff97e2 by Martin v. Loewis in branch '3.3': #17425: null merge 3.2 http://hg.python.org/cpython/rev/8051e6ff97e2
msg185160 - (view)	Author: Roundup Robot (python-dev)	Date: 2013-03-24 21:53
New changeset 840a90e8cefd by Martin v. Löwis in branch '3.3': Issue #17425: Build with openssl 1.0.1d on Windows. http://hg.python.org/cpython/rev/840a90e8cefd New changeset a626a32bd42d by Martin v. Löwis in branch 'default': #17425: merge 3.3 http://hg.python.org/cpython/rev/a626a32bd42d
msg185161 - (view)	Author: Martin v. Löwis (loewis) *	Date: 2013-03-24 21:53
This is now fixed.
msg185504 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2013-03-29 17:42
Sorry to reopen :-). It seems OpenSSL 1.0.1d was a kind of "brown paper bag" release, they've released 1.0.1e since (some of test_ssl can fail on 1.0.1d and succeed on 1.0.1e, as experienced on my Linux setup; the Windows buildbots also exhibit similar failures). Following is their description of the fix: “Changes between 1.0.1d and 1.0.1e [11 Feb 2013] *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI supporting platforms or when small records were transferred. [Andy Polyakov, Steve Henson]”
msg188020 - (view)	Author: Martin v. Löwis (loewis) *	Date: 2013-04-28 20:48
Please don't reopen issues. If there is a bug in the current setup, please submit a new reporting indicating what the problem is.
msg189019 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2013-05-12 11:24
Opened #17962 to tackle the broken OpenSSL issue.